(ui) set httponly cookie, closes https://github.com/opnsense/core/issues/897

da71e1a0 · Ad Schellevis · b78720b8 · da71e1a0 · da71e1a0 · da71e1a0
Commit da71e1a0 authored Apr 18, 2016 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 1 deletion

authgui.inc src/etc/inc/authgui.inc +4 -1

services.php src/opnsense/mvc/app/config/services.php +10 -0

services_api.php src/opnsense/mvc/app/config/services_api.php +10 -0

No files found.
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -168,7 +168,10 @@ function session_auth(&$Login_Error)
    );
    if (session_status() == PHP_SESSION_NONE) {
-        session_start();
+        if (session_start()) {
+            $sess_name = session_name();
+            setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
+        }
    }
    // Detect protocol change

--- a/src/opnsense/mvc/app/config/services.php
+++ b/src/opnsense/mvc/app/config/services.php
@@ -7,6 +7,7 @@ use Phalcon\Db\Adapter\Pdo\Mysql as DbAdapter;
 use Phalcon\Mvc\View\Engine\Volt as VoltEngine;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
 use Phalcon\Session\Adapter\Files as SessionAdapter;
+use OPNsense\Core\Config;
 /**
 * The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
@@ -75,6 +76,15 @@ $di->set('modelsMetadata', function () {
 $di->setShared('session', function () {
    $session = new SessionAdapter();
    $session->start();
+    // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
+    // a valid choice.
+    $cnf = Config::getInstance();
+    if ((string)$cnf->object()->system->webgui->protocol == 'https') {
+        $secure = true;
+    } else {
+        $secure = false;
+    }
+    setcookie(session_name(), session_id(), null, '/', null, $secure, true);
    return $session;
 });

--- a/src/opnsense/mvc/app/config/services_api.php
+++ b/src/opnsense/mvc/app/config/services_api.php
@@ -34,6 +34,7 @@ use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
 use Phalcon\Session\Adapter\Files as SessionAdapter;
+use OPNsense\Core\Config;
 /**
 * The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
@@ -62,6 +63,15 @@ $di->set('url', function () use ($config) {
 $di->setShared('session', function () {
    $session = new SessionAdapter();
    $session->start();
+    // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
+    // a valid choice.
+    $cnf = Config::getInstance();
+    if ((string)$cnf->object()->system->webgui->protocol == 'https') {
+        $secure = true;
+    } else {
+        $secure = false;
+    }
+    setcookie(session_name(), session_id(), null, '/', null, $secure, true);
    return $session;
 });